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Abstract 

We develop an incremental-tableau-based decision pro- 
cedure for the multi-agent epistemic logic MAEL(CD) 
(aka S5 n (CD)), whose language contains operators of 
individual knowledge for a finite set £ of agents, as 
well as operators of distributed and common knowl- 
edge among all agents in S. Our tableau procedure 
works in (deterministic) exponential time, thus estab- 
lishing an upper bound for MAEL(CD)-satisfiability 
that matches the (implicit) lower-bound known from 
earlier results, which implies ExpTime-completeness 
of MAEL(CD)-satisfiability. Therefore, our procedure 
provides a complexity-optimal algorithm for checking 
MAEL(CD)-satisfiability, which, however, in most cases 
is much more efficient. We prove soundness and com- 
pleteness of the procedure, and illustrate it with an exam- 
ple. 



1 Introduction 

Over the last two decades, multi-agent epistemic logics 
(El [8]) have played a significant role in computer science 
and artificial intelligence. The main application seems to 
have been to design, specification, and verification of dis- 
tributed protocols ([6]), but a plethora of other applica- 
tions are described in, among others, O, Q and 0. 

Languages of multi-agent epistemic logics considered 
in the literature contain various repertoires of modal oper- 
ators. In the present paper, we consider the "full" multi- 



agent epistemic logic, which we call MAEL(CD), whose 
language contains operators of individual knowledge for 
a non-empty, finite set £ of agents as well as operators 
of common (C) and distributed (D) knowledge among all 
agents in S. (Since all modal operators of MAEL(CD) 
are S5-modalities, the logic is also referred to in the 
literature as S5 n (CD)). To be used for such tasks as 
designing protocols conforming to a given specification, 
MAEL(CD), needs to be equipped with an algorithm 
checking for MAEL(CD)-satisfiability. The first step in 
that direction was taken in iflOll . where the decidability of 
MAEL(CD) has been established by showing that it has 
a finite model property. This result was proved in ITuI 
via filtration; therefore, the decision procedure suggested 
by that argument is based on an essentially brute-force 
enumeration of all finite models for MAEL(CD), which 
suggest a satisfiability-checking algorithm that is theoreti- 
cally important, but of limited practical value. Our tableau 
procedure has, in comparison, the following advantages: 

1. It establishes a (deterministic) ExpTime upper- 
bound for MAEL(CD)-satisfiability, which matches 
the lower-bound that follows from the results of Q. 

2. It provides an algorithm for checking MAEL(CD)- 
satisfiability that is not only provably complexity- 
optimal, but which in the vast majority of cases re- 
quires much less resources than what is predicted 
by the worst-case upper bound. This is one of the 
hallmarks of incremental tableaux ([11]) as opposed 
to the top-down tableaux in the style of [1|, which 
always require the amount of resources predicted 



by the worst-case complexity estimate. Top-down 
tableaux for the fragment of MAEL(CD) not con- 
taining the operator of distributed knowledge have 
been presented in Q- 

The type of incremental tableau developed herein orig- 
inates in ifTTl ; tableaux in a similar style were recently 
developed for the multi-agent logic ATL and some of its 
variations in Q. Thus, the present paper continues the 
enterprize of designing complexity-optimal decision pro- 
cedures for logics used in design, specification and veri- 
fication of multi-agent systems (dill))- The particular 
style of the tableaux presented here is meant to be com- 
patible with the tableaux from [5 1, so that we can in the fu- 
ture build tableaux for more sophisticated logics for multi- 
agent systems. 

The main reason for the restriction of the distributed 
and common knowledge operators only to be (implicitly) 
parameterized by the whole set of agents referred to in the 
language, adopted in this paper, is to be able to present 
the main ideas and features of the tableaux in sufficient 
detail, while avoiding some additional technical compli- 
cations arising in the case of several such operators, each 
one associated with a non-empty subset of the set of all 
agents. This, more complicated, case will be treated in a 
follow-up paper. 

2 Syntax and semantics of 
MAEL(CD) 

2.1 Syntax 

The language C of MAEL(CD) contains a (possibly, 
countably-infinite) set AP of atomic propositions, typi- 
cally denoted by p, q,r, . . .; a finite, non-empty set £ of 
(names of) agents, typically denoted by a, b . . .; a suffi- 
cient repertoire of the Boolean connectives; and the modal 
operators K a ("the agent a knows that . . . "), D ("it is dis- 
tributed knowledge among £ that . . . ") and C ("it is com- 
mon knowledge among £ that . . .")■ Thus, the formulae 
of C are defined as follows: 

<p:=p\ ->(tp) | {<pi A <p 2 ) | K a (<p) | D(^) | C(tp), 

where p ranges over AP and a ranges over S. The other 
boolean connectives can be defined in the usual way. We 



omit parentheses in formulae whenever it does not re- 
sult in ambiguity. We denote arbitrary formulae of C by 
tp, ip, Xi ■ ■ ■ (possibly with decorations). We write ip <E C 
to mean that ip is a formula of C. Formulae of the form 
-^dp are called eventualities. 

2.2 Semantics 

Formulae of C are interpreted over multi-agent epistemic 
models, based on multi-agent epistemic frames. We will 
also need a more general notion of multi-agent epistemic 
structure. 

Definition 2.1 A multi-agent epistemic structure (MAES, 
for short) is a tuple 6 = (£, S, {7?. a } ae £, TZd, TZc), 
where 

1. £ is a finite, non-empty set of agents; 

2. S ^|is a set of states; 

3. TZd and TZ a , for each a G S, are binary relations on 
S; 

4. IZc is the transitive closure of TZd U U aeT,TZ a - 

Definition 2.2 A multi-agent epistemic frame (MAEF, for 
short) is a MAES ^ = (S, S, {TZa\ a eT,,TZo ,TZc), where 

(a) TZd and TZ a , for every a £ E, are equivalence rela- 

tions on S; 

(b) TZ D = n aeT,TZ a . 

If condition (b) above is replaced with 
(60 TZ D C H aes^a, 

then ^ is a multi-agent epistemic pseudo-frame. 

Notice that in (pseudo-)frames condition 4 of defini- 
tion 12.11 is equivalent to the requirement that TZc is the 
transitive closure of (J a£ ^TZ a . Also notice that, as in any 
MAEF each TZ a is an equivalence relation, TZc is a ls° an 
equivalence relation. 

Definition 2.3 A multi-agent epistemic model (MAEM, 
for short) is a tuple A4 = (3, AP, L), where 

(i) $ is a MAEF; 

(ii) AP is a (possibly, infinite) set of atomic propositions; 
(Hi) L : S >—> V(AP), is a labeling function, where L(s) 

is the set of all atomic propositions that are declared 
true at s. 
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If condition (i) above is replaced by the requirement that 
$ is a multi-agent epistemic pseudo-frame, then M. is a 
multi-agent epistemic pseudo-model (pseudo-MAEM). 

The satisfaction relation between (pseudo-)MAEMs 
and formulae is defined in the standard way. In particular, 

• M, s h K a tp iff (s, t) G TZ a implies M, t lh tp; 

• M, s lh Dp iff (s. t) G 7^,0 implies .M, t lh ip; 

• 7W, s lh C</3 iff (s, t) G He implies M,t lh ip. 

The truth condition for the operator C can be para- 
phrased in terms of reachability. Let 5 be a (pseudo- 
)frame with state space S and let s, t G S. We say 
that t is reachable from s if there exists a sequence 
s = so, si, ... , s n _i, s„ = i of elements of 5 such that, 
for every < i < n, there exists a 6 £ such that 
(sj, Sj+i) G i? a - It is then easy to see that the following 
truth condition for C is equivalent in (pseudo-)MAEMs 
to the one given above: 

• A4,s lh Cip iff A4,t lh ip whenever t is reachable 
from s. 

Notice that if £ = {a}, then the formulae K a </3 «-> Dy> 
and K a </? <-> Cyj are valid for all ip G £, so the one- 
agent case is trivialized. Thus, we assume throughout the 
remainder of the paper that £ contains at least 2 agents. 

Definition 2.4 (Satisfiability and validity) 

• Let ip G C and M. be a MAEM. We say that tp is 
satisfiable in M. if A4,s lh tp holds for some s E M 
and that ip is valid in M. if A4, s lh ip holds for every 
seM. 

• Let ip G C and M be a class of models. We say that 
ip is satisfiable in M if M., s lh ip holds for some 
M. G M and some s G M and that ip is valid in 
M if A4, s lh ip holds for every M. G M and every 
■s G M. 

The goal of this paper is to develop a sound, complete, 
and complexity-optimal tableau-based decision procedure 
for testing satisfiability, and hence also validity, of formu- 
las of C in the class of all MAEMs; in other words, the 
procedure tests for the belonging of formulae of C to the 
logic MAEL(CD), which is the logic of all such models. 



3 Hintikka structures 

The ultimate purpose of the tableau procedure we develop 
is to check if the input formula is satisfiable in a MAEM. 
However, the tableau attempts not to directly construct a 
MAEM for the input formula, but to build a more gen- 
eral kind of semantic structure, viz. a Hintikka structure 
(which are, therefore, used in proving completeness of our 
tableaux). The basic difference between models and Hin- 
tikka structures is that while models determine the truth 
of every formula of the language at every state, Hintikka 
structures only provide truth values of the formulae rel- 
evant to the evaluation of a fixed formula 9. Another 
important difference is that the accessibility relations in 
models must satisfy the explicitly stated conditions of 
definition 12.21 while in Hintikka structures we only im- 
pose conditions on the sets of formulas in the labels of 
the states, which correspond to the desirable conditions 
on the accessibility relations. Even though no conditions 
are implicitly imposed on the accessibility relations them- 
selves, the labeling is done is such a way that every Hin- 
tikka structure generates, by a construction described in 
the proof of lemma [331 a MAEM in such a way that the 
"truth" of the formulas in the labels is preserved in the 
resultant model (whose relations satisfy all conditions of 
definition ^. 21 i. 

To define Hintikka structures, we need the following 
auxiliary notion, inspired by [7|. 

Definition 3.1 A set A C C is fully expanded it satis- 
fies the following conditions (Sub(<y9) stands for the set of 
subformulae of the formula ip): 

• if -i— i(p G A, then tp G A; 

• if ip A ip G A, then tp G A and "0 G A; 

• if->(<p A ip) G A, then -up G A or ->tp G A; 

• ifK. a tp G IS., for some a G £, then Dtp G A; 

• if Dtp G A, then tp G A; 

• ifCip G A thenK a (tpACtp) e Aforeverya G £; 

• if -iC tp G A, then -^K. a (p A Cip) G A for some 
a G £; 

• if tp G A and ip G Sub((^) is of the fo mi K a x or 
D\, then either ip G A or ->ip G A. 

Definition 3.2 A multi-agent epistemic Hin- 
tikka structure (MAEHS for short) is a tuple 
(£,5, {TZa}aeT,,TlD,Tic-, H) such that 
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• (Z,S,{K a } aeS ,ll D ,nc)isaMAES; 

• H is a labeling of the elements of S with formulae of 
C that satisfies the following constraints: 

HI if^tp G H(s), then p H(s); 
H2 H (s) is fully expanded, for every s G S; 
H3 if "K.q.'-P £ H(s) and (s,t) G lZ a , then p G 
H(t); 

H4 if -iK a (p G H(s), then there exists t G S smc/i 

f/iaf (s, i) G !Z a and -up G H(t); 
H5 if (s,t) G 7\L a , f/zen K a ^ G iJ(s) iffK a p G 

H6 //D(y5 G if (s) and (s, t) G 7?._d, then p G if (t); 
H7 if ->Dp G H(s), then there exists ( £ S smc/i 

that (s,t) G 7£d and —up G H(t); 
H8 r/(s,i) G ^d, f/ien D<p G ff(s) iffTiip G 
andK a p G iT(s) #K Q (^ G H(t),for 

every a G S; 

H9 if ->Cp G H(s), then there exists t G 5 smc/i 
f/ja? (s, £) G 7?-c fln ^ ""^ 6 H{t). 

Definition 3.3 Let 9 E £ and H be a MAEHS with state 
space S. We say that Ti is a MAEHS for 9 if 6 G H(s)for 
some s G S. 

Now we will prove that 9 G C is satisfiable in the class 
of all MAEMs iff there exists a MAEHS for 9. This will 
allow us to design our tableau procedure to test for the 
existence of a MAEHS, rather than a MAEM, for the input 
formula. 

Given a MAEM M. with a labeling function L, we de- 
fine the extended labeling function L + : S i— > V(C) on 
M as follows: L + (s) = {<p> \ M,s lh p>}. Then, the 
following is straightforward. 

Lemma 3.4 Let M = (S, 5, {K a } ae z, K D , TZ C , L) be 
a MAEM satisfying 9 and let L + be an extended label- 
ing on Ai. Then, (£, S, {TZ a } a e^i ^c, L + ) is a 
MAEHS for 9. 

Next, we prove the opposite direction. 

Lemma 3.5 Let 9 G Cbe such that there exists a MAEHS 
for 9. Then, 9 satisfiable in a MAEM. 



Proof. Let 9 G C and H = 

(^,S,{TZ a } ae ^,n D ,n c ,H) be an MAEHS for 9. 
First, we define, using H, a pseudo-MAEM Ai' sat- 
isfying 9; then, we turn Ai' into a MAEM satisfying 
9. 

Ai' is defined as follows. First, for every a G E, 
let TZ' a be the reflexive, symmetric, and transitive clo- 
sure of 7Z a U TZd\ let TZ-'d be the reflexive, symmet- 
ric, and transitive closure of 7Zd\ and let 1Z' C be the 
transitive closure of |J ae ^TZ' a . (Notice that Tic ^ 
K' c .) Second, let AP = {p G H(t) \ t G 
S and p is an atomic proposition }. Finally, let L(s) = 
H (s) n AP for every s G S. It is then straightforward 
to check that X' = (T,,S,{n' a } aeJ :,7l' D ,1Z' c ,AP,L) is 
a pseudo-MAEM (recall definition |2.3l >. 

Next, we prove, by induction on the structure of x G £ 
that, for every s £ 5 and every \ G C, the following hold: 

i) X G H(s) implies Ai' ', s h x, and 

ii) ->x G -ff (s) implies .M', s II — <x- 

Let x be some p G AP. Then, p G H(s) implies p G 
L(s) and, thus, s lh p; if, on the other hand, -<p g 
i?(s), then due to (HI), p £ H(s) and thus p g L(s); 
hence, Ai' , s II — <p. 

Assume that the claim holds for all subformulae of x; 
then, we have to prove that it holds for x, as well. 

Suppose that \ is -up. If -up G H(s), then the inductive 

hypothesis immediately gives us A4', s II <ip; if, on the 

other hand, -i—«p G H(s), then by virtue of (H2), p G 
H (s) and hence, by inductive hypothesis, Ai', s lh ip and 
thus Ai', s II — t-iip. 

The case of x = p A ip is straightforward, using (H2). 

Suppose that \ is K„^. Assume, first, that K a y> G 
H(s). In view of inductive hypothesis, it suffices to show 
that (s, t) G 7?/ a implies p G if(i). So, assume that 
(s,t) G 7?.^. There are two cases to consider. If s = t, 
then the conclusion immediately follows from (H2). If, 
on the other hand, s ^ t, then there exists an undirected 
path from s to t along the relations lZ a and TZd- Then, 
in view of (H5) and (H8), K a tp G H(t); hence, by (H2), 
p G H(t). 

Assume, next, that ~^K. a p G H(s). In view of the 
inductive hypothesis, it suffices to show that there exist 
t G S such that (s,t) G K' a and -<p G H(t). By (H4), 
there exists t E S such that (s, <) G 7?. Q and -up G 
As 7?. a C TZ' the desired conclusion follows. 
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The case of x = is very similar to the previous one 
and is left to the reader. 

Suppose now that \ is Cy>. Assume that Cip G H(s). 
In view of the inductive hypothesis, it suffices to show 
that if (s,t) G 1Z' C , then <p G H(t). So, assume that 
(s, t) G 7Z' C , i.e., either s = t or, for some n > 1, there 
exists a sequence of states s = sq, a\, . . . , s„_i, s n = t 
such that, for every < i < n, either there exists a G E 
such that (s,,Sj+i) G 7£ or (sj,Sj+i) G 7^£>. In the 
former case, the desired conclusion follows from (H2); in 
the latter, it follows from (H2), (H3), and (H8). 

Assume, on the other hand, that -iCip G H(s). Then, 
the desired conclusion follows from (H9), the fact that 
IZc C 1Z' C , and inductive hypothesis. 

To finish the proof of the lemma, we convert M! 
into a MAEM M" in a truth-preserving way. To that 
end, we use a variation of the construction known as 
tree-unwinding (see, for example, (4); first applied 
in the context of epistemic logics with the operator 
of distributed knowledge in |3| and Q). The only 
difference between our construction and the standard 
tree-unwinding is that, in the tree we produce, all edges 
labeled by D (representing the tree's relation IZ 1 ^) also 
get labeled (unlike in the standard tree-unwinding) by 
all agents in E, too; all other transitions are labeled by 
single agents, as in the standard tree-unwinding. To 
obtain M," , we take 1Z" D to be the reflexive, symmetric, 
and transitive closure of IZ 1 ^ and 1Z" a , for every a G E, 
to be the reflexive, symmetric, and transitive closure of 
1Z T ; finally, we take TZq to be the reflexive closure of 
U a€sK'- I* i s routine to check that Ai" is bisimilar to 
M! and, therefore, satisfies 9 at its root. To complete the 
proof, all we have to show is that M." is a MAEM; i.e., 
the equality VJ' D = f| „ eS ^' holds. The left-to-right 
direction is immediate from the construction. For the 
right-to-left direction assume that (s,t) G 1Z" holds for 
every a G E; i.e, there is an undirected path between s 
and t along IZj for every a G E. As we are in a tree 
and E contains at least two agents, this is only possible 
if there is an undirected path between s and t along IZj) 
since we only connected nodes of the tree by multiple 
agent relations if these nodes were connected by TZ^. 
Therefore, (s,t) G TZ'[,, as desired. □ 

Theorem 3.6 Let 9 G C. Then, 9 is satisfiable in a 



MAEM iff there exists a MAEHSfor 9. 

Proof. Immediate from lemma [3~4l and lemma [331 □ 



4 Tableau procedure for 
MAEL(CD) 

Traditionally, tableaux work by decomposing the formula 
whose satisfiability is being tested into "semantically sim- 
pler" formulae. In the classical propositional case, "se- 
mantically simpler" implies "smaller", which by itself 
guarantees termination of the procedure. Another feature 
of the tableau method for the classical propositional logic 
is that this decomposition into simpler formulae results 
in a simple tree, representing an exhaustive search for a 
model — or, to be more precise, a Hintikka set (the clas- 
sical analogue of Hintikka structures) — for the input for- 
mula. If at least one leaf of the tree produces a Hintikka 
set for the input formula, the search has succeeded and the 
formula is pronounced satisfiable. 

These two defining features of the classical tableau 
method do not emerge unscathed when the method is ap- 
plied to logics containing fixed point operators, such as C 
(or, for example, the U and ->□ operators of the linear- 
time temporal logic LTL). Firstly, decomposing (in ac- 
cordance with the clauses in the definition of a fully ex- 
panded set above) of formulae of the form Cip produces 
formulae of the form K a (<yS A Cip), which are "semanti- 
cally simpler", but not smaller than the original formula. 
Hence, we cannot take termination for granted and need to 
take special precautions to guarantee it — in our tableaux, 
we do so by deploying prestates, whose role is to ensure 
that the whole construction is finite. Secondly, in the clas- 
sical case, the only reason why it might turn out to be im- 
possible to produce a Hintikka set for the input formula is 
that every attempt to build such a set results in a collec- 
tion of formulae containing an inconsistency. In the case 
of MAEL(CD), there are other such reasons; the most im- 
portant of them has to do with eventualities: semantically, 
the truth of an eventuality ->C(p at state s of a model re- 
quires that there is a path form s to a state t satisfying -^ip. 
The analogue of this semantic condition in the tableau we 
refer to as realization of eventualities. Apart from consis- 
tency requirement on a "good" tableau, all eventualities in 
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such a tableau should be realized. (A third, more techni- 
cal reason why a tableau might fail to represent a MAEHS 
will be mentioned in due course.) 



4.1 Overview of the tableau procedure 

In essence, the tableau procedure for testing a formula 
9 G C for satisfiability is an attempt to construct a non- 
empty graph T e , called a tableau, representing all possi- 
ble MAEHS s for 9 (in the sense made precise later on). 
If the attempt is successful, 9 is pronounced satisfiable; 
otherwise, it is declared unsatisfiable. 

The tableau procedure consists of three major phases: 
construction phase, prestate elimination phase, and state 
elimination phase. Accordingly, we have three types of 
tableau rules: construction rules, a prestate elimination 
rule, and state elimination rules. The procedure itself es- 
sentially specifies in what order and under what circum- 
stances these rules should be applied. 

During the construction phase, the construction rules 
are used to produce a directed graph V — called the 
pretableau for 9 — whose set of nodes properly contains 
the set of nodes of the tableau T that we are building. 
Nodes of V 9 are sets of formulae, some of which, called 
states, are meant to represent states of a Hintikka struc- 
ture, while others, called prestates, fulfill a purely techni- 
cal role of to keeping V B finite. During the prestate elim- 
ination phase, we create a smaller graph 7q out of V e , 
called the initial tableau for 9, by eliminating all prestates 
of V e (and tweaking with its edges) since prestates have 
already fulfilled their function: as we are not going to 
add any more nodes to the graph built so far, the pos- 
sibility of producing an infinite structure is no longer a 
concern. Lastly, during the state elimination phase, we 
remove from T® all states, if any, that cannot be satisfied 
in any MAEHS, for one of the following three reasons: 
either the state is inconsistent, or it contains an unreal- 
ized eventuality, or it does not have all successors needed 
for its satisfaction. The elimination procedure results in 
a (possibly empty) subgraph T e of 7g , called the final 
tableau for 9. Then, if we have some state A in T con- 
taining 9, we declare 9 satisfiable; otherwise, we declare 
it unsatisfiable. 



4.2 Construction phase 

At this phase, we build the pretableau V e — a directed 
graph whose nodes are sets of formulae, coming in two 
varieties: states and prestates. States are meant to rep- 
resent states of a MAEHS which the tableau attempts 
to construct, while prestates are "embryo states", which 
will in the course of the construction be "unwound" into 
states. Technically, states are fully expanded (recall defi- 
nition lXTT l. while prestates do not have to be so. 

Moreover, V e will contain two types of edges. As we 
have already mentioned, our tableaux attempt to produce 
a MAEHS for the input formula; in this attempt, they 
set in motion an exhaustive search for such a MAEHS. 
One type of edge, depicted by unmarked double arrows 
==>, will represent this exhaustive search dimension of 
our tableaux. Exhaustive search looks for all possible al- 
ternatives, and in our tableaux the alternatives will arise 
when we unwind prestates into states; thus, when we draw 
an unmarked arrow from a prestate V to states A and A' 
(depicted as T => A and V =^> A', respectively), this 
intuitively means that, in any MAEHS, a state satisfying 
r has to satisfy at least one of A and A'. 

Given a set V C £, we say that A is a minimal fully 
expanded extension of T if A is fully expanded, T C A, 
and no A' is such that T C A' C A and A' is fully 
expanded. 

Our first construction rule, (SR), tells us how to create 
states from prestates. (Throughout the presentation of the 
rules, the reader can refer to the example given below to 
see how they are applied in particular cases.) 

(SR) Given a prestate T, do the following: 

1 . add to the pretableau all minimal fully expanded ex- 
tensions A of T as states; 

2. for each so obtained state A, put V => A; 

3. if, however, the pretableau already contains a state 
A' that coincides with A, do not create another copy 
of A', but only put T A'. 

We denote the finite set of states created by applying 
(SR) to a prestate T by states (T). 

The second type of edge featuring in our tableaux rep- 
resents accessibility relations in MAEHSs. Accordingly, 
this type of edge will be represented by single arrows 
marked with formulas whose presence in the source state 
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requires the existence of a target state reachable by a par- 
ticular relation. As there are two such kinds of formulae, 
~^K. a ip and -iD<p (see conditions (H4) and (H7) in the def- 
inition of MAEHS), we will have single arrows marked 
by formulas of one of these two types. Intuitively if, say 
->K a <£ G A, then we need some prestate Y containing -up 
to be accessible by a relation 1Z a ; however, we mark this 
single arrow not just by agent a, but by formula -^K a <p, 
which helps us remember not just what relation connects 
states satisfying A and Y, but why we had to create this 
particular Y. This information will prove crucial when we 
start eliminating prestates and then states. 

The two remaining construction rules, (KR) and (DR), 
tell us how to create prestates from states. These rules do 
not apply to patently inconsistent states as such states can 
not be satisfied in any MAEHS. 

(KR) Given a state A such that -K a <p G A, for some 
a G S, and there is no % G £ such that both x G A and 
^X G A, do the following: 

1. create a new prestate Y = {^p} U { K a ?/> | K a ip G 
A} U {^K a iP I -K a VG A}; 

2. connect A to T with ~^f; 

3. if, however, the tableau already contains a prestate 
T' = T, do not add to it another copy of Y', but 

simply connect A to Y' with ~^^f . 

(DR) Given a state A such that -Dtp G A and there 
is no x G C such that both x G A and ->x G A, do the 
following: 

1. create a new prestate T = {-up} U { T>ip | Dtp G 
A} U {-DV | -D^ G A} U {K aX | K aX G 
A, a G S } U { -K a x | -K aX G A, a G £ }; 

2. connect A to Y with - — t; 

3. if, however, the tableau already contains a prestate 
T' = T, do not add to it another copy of Y', but 

simply connect A to Y' with . 

It should be noted that, in the pretableau, we never cre- 
ate in one go full-fledged successors for states; i.e., we 
never draw a marked arrow from state to state; such ar- 
rows always go from states to prestates. On the other 
hand, unmarked arrows connect prestates to states. 

When building a tableau for a formula 0, the construc- 
tion stage starts off with creating a single prestate {6*}. 



Afterwards, we alternate between applying rules creating 
states and those creating prestates: first, (SR) is applied to 
the prestates created at the previous stage of the construc- 
tion, then (KR) and (DR) are applied to the states created 
at the previous stage. The construction phase comes to 
an end when every prestate required to be added to the 
pretableau has already been added (as prescribed in point 
3 of (SR)), or when we end up with states to which neither 
(KR) nor (DR) is applicable (i.e. states not containing 
formulas of the form -K a <p or -Dip or containing patent 
inconsistencies). 

4.3 Termination of construction phase 

As we identify states and prestates whenever possible, to 
prove that the above procedure terminates, it suffices to 
establish that there are only finitely many possible states 
and prestates. To that end we use the concept of the ex- 
tended closure of a formula 0. 

Definition 4.1 Let 9 G C. The closure of 0, denoted c\{6), 
is the least set of formulae such that: 

• 9 G cl(0); 

• c\(9) is closed under subformulae; 

• if~K a p G c\(9) for some a G X, then Dtp G c\(9); 

• if dtp G cl(0), then ~K a (tp A Cip) G cl(0) for every 
aGS. 

Definition 4.2 Let 9 e C. The extended closure of 9, 
denoted eel (9), is the least set such that iftpG c\(9), then 
tp, -up G ecl(0). 

It is straightforward to check that ecl(0) if finite for ev- 
ery and that all state and prestates of V e are subsets of 
ecl(0); hence, their number is finite. 

4.4 Prestate elimination phase 

At this phase of the tableau procedure, we remove from 
V e all prestates and all unmarked arrows, by applying the 
following rule: 

(PR) For every prestate Y in V e , do the following: 

1. remove Y from V 6 \ 

2. if there is a state A in T> 6 with A -^-> Y, then for 
every state A' G states(T), put A -^-> A'; 
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We call the graph obtained by applying (PR) to V the 
initial tableau, denoted by T®. 

4.5 State elimination phase 

During this phase, we remove from T® nodes that cannot 
be satisfied in any MAEHS. There are three reasons why a 
state A of can turn out to be unsatisfiable: A contains 
an inconsistency, or satisfiability of A requires satisfia- 
bility of some other unsatisfiable "successor" states, or A 
contains an eventuality that is not realized in the tableau. 
Accordingly, we have three elimination rules, (E1)-(E3). 

Technically, the state elimination phase is divided into 
stages; at stage n + 1 we remove from the tableau 7^f 
obtained at the previous stage exactly one state, by apply- 
ing one of the elimination rules, thus obtaining the tableau 
7^f +1 . We now state the rules governing the process. The 
set of states of the tableau 7^ is denoted by S^. 

(El) If {(p, -><£>} CAe S 9 n , then obtain T r e l+1 by elim- 
inating A from T£ . 

(E2) If A contains a formula \ of the form -iK tt y> or 
-iD<p and all states reachable from A by single arrows 
marked by \ have been eliminitated at previous stages, 
obtain by eliminating A from T®. 

To formulate the third elimination rule, we need the 
concept of eventuality realization. We say that -*C<p 
is realized at A in T® if there exists a path A = 
Ao,Ai,...,A m such that -itp E A m and, for every 
< i < to, there exist \ such that A, — — » A»+i. 

Realization of eventuality -^Cip at A in 1% can be eas- 
ily checked by computing the rank of every A 6 5j with 
respect to -X2y> in T®, denoted by rank(A, ~^Cip, T^). 
Intuitively, the rank of A in represents the length of 
the longest path in from A to a state containing -up. 
If no such path exists, the rank of A is u) (the first infi- 
nite ordinal). Formally, the rank is computed as follows. 
At first, if -up E A, set rank(A, ->Cy>, 1%) = 0; oth- 
erwise, set rank(A, -iC(p, T^) = u>. Afterwards, repeat 
the following procedure until no changes in the rank of 
any state occurs: rank(A, ->C(p, T^) = 1 + max{r x }, 
where r x = min{ rank(A', -<C<p, T® ) | A A' }. 
Now, we can state our last rule. 



(E3) If A E S„ contains an eventuality -iCy that is 
not realized at A in T® (i.e., if rank(A, -iCcp,7%) = w), 
then obtain T® +1 by removing A from T®. 

We have thus far described the individual rules; to de- 
scribe the state elimination phase as a whole, it is crucial 
to specify the order of their application. 

First, we apply (El) to all states of Tq ; it is clear that, 
once this is done, we do not need to go back to (El) again. 
The cases of (E2) and (E3) are slightly more involved. 
Having applied (E3) to the states of the tableau, we could 
have removed, for some A, all states accessible from it 
along the arrows marked with some formula hence, we 
need to reapply (E2) to the resultant tableau to get rid of 
such A's. Conversely, having applied (E2), we could have 
removed some states that were instrumental in realizing 
certain eventualities; hence, having applied (E2), we need 
to reapply (E3). Furthermore, we can't stop the proce- 
dure unless we have checked that all eventualities are re- 
alized. Thus, what we need is to apply (E3) and (E2) in a 
dovetailed sequence that cycles through all eventualities. 
More precisely, we arrange all eventualities occurring in 
the tableau obtained from T® after having applied (El) in 
the list £1, . . . , £ m . Then, we proceed in cycles. Each cy- 
cle consists of alternatingly applying (E3) to the pending 
eventuality, and then applying (E2) to the tableau result- 
ing from that application, until all eventualities have been 
dealt with; once we reach £ m , we loop back to £1, The 
cycles are repeated until, having gone through the whole 
cycle, we have not removed any states. 

Once that happens, the state elimination phase is over. 
We call the resultant graph the final tableau for 9 and de- 
note it by T s and its set of states by S e . 

Definition 4.3 The final tableau T e is open if 9 & A for 

some A E S e ; otherwise, T e is closed. 

The tableau procedure returns "no" if the final tableau is 
closed; otherwise, it returns "yes" and, moreover, pro- 
vides sufficient information for producing a finite model 
satisfying 9; that construction is described in section 15721 

Example 1 Let's assume that E = {a, b} and construct a 
tableau for the formula "K. a p A K^p A T) Cp. The picture 
below shows the complete pretableau for this formula. 
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XO = -DCp, xi = -K (p A Cp), X 2 = -K 6 (p A Cp); 
T = {K a p A K(,p A -DCp}; 

Aj = {K„p A K b p A nDCp, K a p, K iP , ^DCp, Dp, p}; 
ri = {-Cp,K a p,K t p^DCp,Dp}; 
A 2 = {^Cp, K a p, Kip^DCp, Dp, p,^K„(p A Cp)}; 
A 3 = {-Cp, K a p,K 6 p, ^DCp, Dp,p, -K t (p A Cp)}; 
T 2 = {-(p A Cp), K a p, -K a (p A Cp)}; 
T 3 = {-Cp,K p,K 6 p,-DCp,Dp,-K a (pACp)}; 
A 4 = {— p, K a p, — K a (p A Cp), Dp,p}; 
A 5 = {-Cp,K a p,-K a (pACp),Dp,p}; 
A 6 = {-Cp, K a p, -K a (p A Cp), Dp, p, -Ki,(p A Cp)}; 
A 7 = {-Cp, K a p, K t p, -DCp, Dp, -K a (p A Cp),p}; 
A s = {-Cp, K a p, Ktp, -DCp, Dp, -K„(p A Cp),p, 
-K(,(pACp)} 

T 4 = {-Cp, K a p, K 6 p, -D Cp, Dp, -K(,(p A Cp)} 
T 5 = {-(p A Cp), K b p, -K 6 (p A Cp)} 

A 9 = {-Cp,K p,K 6 p,-DCp,Dp,-K 6 (pACp),-K (pA 
CP)} 

Aio = {-Cp,K a p,K 6 p,-DCp,Dp,-K 6 (pACp),p} 
A n = {-p,K f) p,-K b (pACp),Dp,p} 
A12 = {-Cp,K i ,p,-K f) (pACp),-K a (pACp),Dp,p} 
A13 = {-Cp,K 6 p,-K 6 (pACp),Dp,p} 
T 6 = {-Cp,K a p,K 6 p,-DCp,Dp,-K (pACp),-K 6 (pA 
Cp)} 

A w = {-Cp,K a p,K 6 p,-DCp,Dp,-K a (pACp),-K 6 (pA 
Cp),p} 

r 7 = {-(pACp)} 

A15 = {-p}; 

Aie = {-Cp,-K a (pACp}; 
A i7 = {-Cp, -K 6 (p A Cp} 



For lack of space, we do not depict the initial and final 
tableaux for the input formula, but briefly describe what 
happens at the state elimination stage. States A4 and An 
get removed due to (El), as they contain patent inconsis- 
tencies. A14 gets removed due to (E3), since it contains 
an eventuality -Cp which is not realized in the tableau, 
as the rank of An stabilizes at u), because it does not con- 
tain — p, and is its only successor. Then Ag and Ag get re- 
moved, as their only successor along xo, namely A14 has 
been removed. All other states remain in place; in partic- 
ular, all of them receive a finite rank, because from each 
of them one can reach the state A15, which contains -p. 
The resultant graph encodes all possible Hintikka struc- 
tures for the input formula. 

We note that our tableaux never close on account of all 
states obtained from the initial prestate containing unful- 
filled eventualities (we omit the formal proof of this claim 
due to lack of space). The rule (E3), however, as can be 
seen from the example above, eliminates from the tableau 
"bad" states, thus making our tableau not only test a for- 
mula for satisfiability, but actually, for every satisfiable 
formula 9, produce a graph "containing" all possible Hin- 
tikka structures for 9 (i.e, whenever a node of the graph 
is connected to several other nodes by arrows marked by 
the same formula, these "target" nodes are not meant to 
be part of the same MAEHS for 9, but rather represent 
alternative ways of building a MAEHS for 9). 

5 Soundness and completeness 
5.1 Soundness 

The soundness of a tableau procedure amounts to claim- 
ing that if the input formula 9 is satisfiable, then the 
tableau for 9 is open. To establish soundness of the over- 
all procedure, we prove a series of lemmas that show that 
every rule is sound; the soundness of the overall proce- 
dure will then easily follow. The proofs of the following 
three lemmas are straightforward. 

Lemma 5.1 Let Tbea prestate ofV 6 such that M, s h V 
for some MAEM M and s e M. Then, M,s h A holds 
for at least one A g states (r). 

Lemma 5.2 Let A e Sq be such that M , s lh A for some 
MAEM M and s G M, and let -K a <£ e A. Then, there 
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exists t £ At such that (s,t) £ 7?. a anc/ At, t Ih {""p} U 

{K^|K a ^eA}u{^M| -MeA}. 

Lemma 5.3 Lef AeSjie rac/i f/;af At, s Ih A /or some 
MAEM At and s £ At, and Zef -iDy> £ A. 77zen, there 
exists t £ At smc/! f/za? (s, t) £ 7£d and M., t h {-ly} U 
{ | D-0 £ A } U { -.D^ | ->DV> £ A } U { K a x | 
K aX £ A, a £ S } U { -K aX | -K aX £ A, a £ E }. 

Lemma 5.4 Lef A £ S® be such that At, s Ih A/or some 
MAEM At and s £ At, and let ->Cip £ A. Then, -iC<p 
is realized at A in T®. 

Proof. As A is fully expanded, ->K a (y A £ A for 
some a £ S, and thus At, s Ih -iK (</j A dp). There- 
fore, there exists si £ At such that (s,s±) £ 7?. a and 
At,si Ih -i((p A Cy>). By construction of the tableau, 
At,si Ih r holds for the prestate V associated with 
-iK Q (( y 9 A dp), i.e. such T that ->(<p A C<^) £ T. Now, 
there exists Ai £ states(r) such that At,si Ih Ai. 
Indeed, elements of states (r) are full expansions of F; 
clearly, T can be fully expanded in such a way that when- 
ever we have to make a choice which of several formulae 
to include into Ai (say, for which b £ £ to add the for- 
mula -iKh(y> A C ip) if -iC</? £ T), we choose the one 
that is actually satisfied at s\. Now, as -^(ip A £ T, 
either At,Si Ih -tip or At,Si Ih -iC<p. In the for- 
mer case, we are done straight off, as then ->(p £ A x . 
In the latter case, as At,si Ih ~^Cip, there exists a se- 
quence of states s\, S2, . . . , s m in At such that for every 
1 < i < m, we have (s,, Sj+i) £ TZb for some £ S 
and At, s TO Ih -i^j. By taking this sequence of states of 
At, we can build, in the "forcing choices" style described 
above, a sequence of states Ai, A2, . . . , A m £ S*„ such 

that, for every 1 < « < to, we have Aj — > Aj+i 
for some 6 £ S, and -199 £ A m . The existence of the path 
A, Ai , . . . , A m implies that -iC<p is realized at A in T%. 
□ 

Theorem 5.5 (Soundness) If 9 e C is satisfiable in a 
MAEM, then T e is open. 

Proof sketch. Using the preceding lemmas, show by 
induction on the number of stages in the state elimination 
process that no satisfiable state can be eliminated due to 
(E1)-(E3). The claim then follows from lemma IBTTI □ 



5.2 Completeness 

The completeness of a tableau procedure means that if the 
tableau for a formula 9 is open, then 9 is satisfiable in a 
MAEM. By making use of theorem l376l it suffices to show 
that an open tableau for 9 can be turned into a MAEHS for 
9. The construction of such a MAEHS is described in the 
following lemma. 

Lemma 5.6 IfT e is open, then there exists a MAEHS for 
9. 

Proof sketch. Let T e be open. The MAEHS H for 9 is 
built out of the so-called/na/ tree components. Each final 
tree component is a tree-like MAES with nodes labeled 
with states from S . Each component is associated with 
a state A £ S e and an eventuality £ £ eel (9); such a 
component is denoted by Ta,j . 

Now we describe how to build the final tree compo- 
nents. Let £ = -^dp £ ecl(0) and A £ S e . If £ £ A, 
then Ta.£ is a "simple tree" (i.e, one whose only inner 
node is the root) whose root is labeled with A and that 
has exactly one leaf associated with each formula of the 
form -iK. a <p or -iDip belonging to A. A leaf associated 
with formula \ is labeled by a state A' £ S e such that in 
T 6 we have A — — > A' (such a A' exists — otherwise A 
would have been eliminated from the tableau due to (E2)). 
To obtain a tree-like MAES, put (s, t) £ lZ a if s is labeled 

with A, t is labeled with A', and A A' for some <p>; 
analogously, put (s, t) £ TZd if s is labeled with A, t is 

labeled with A', and A ^ A' for some (p. 

If, on the other hand, £ = -<C(p £ A, then Ta,£ is 
constructed as follows. Since -iC<p is realized at A in T e , 
there exists a sequence of states A = Ao, Ai, . . . , A TO 
in S e such that -i<p £ A m and for every < i < to, 
A — — > A' holds for some \ of the form ->K a </? or -iDip 
(otherwise, it would have been eliminated due to (E3)). 
Take this sequence and give to each Aj (0 < i < m) 
"enough" successors, as in the previous paragraph, and 
define the relations for this tree as prescribed therein. 

We are next going to stitch the above-defined Ta^'s 
together. First, however, we note that if an eventuality 
£' belongs to A and is not realized inside some final tree 
component Ta,£ (the realization in a final tree component 
is defined as in tableaux, with substituting Ta,£ for 7^f), 
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then £' belongs to every leaf of Ta,j, and thus its real- 
ization is deferred — this is crucial to our ability to stitch 
Ta^'s up into a Hintikka structure. 

We now proceed as follows. First, we arrange all states 
of T e in a list Aq, . . . , A„_i and all eventualities occur- 
ring in the states of T e in a list £o> • • • , £m-i- We then 
think of all final tree components as arranged in an m- 
by-n grid whose rows are marked with the correspond- 
ingly numbered eventualities of T 6 and whose columns 
are marked with the correspondingly numbered states of 
T 6 . The final tree component at the intersection of the 
ith row and the jth column will be denoted by Tujy The 
building blocks for our MAEHS will all come from the 
grid. This MAEHS is built incrementally, so that at each 
stage of the construction we produce a structure realizing 
more and more eventualities. 

We start off with a final tree component that is uniquely 
determined by the input formula 9, in the following way. 
If 9 is an eventuality, i.e., 9 = £ p for some < p < to, 
then we start off with the component Tr Ptq \ where, for 
definiteness, q is the least number < n such that 9 G A q ; 
as T e is open, such a q exists. If, on the other hand, 9 is 
not an eventuality, then we start off with T(o.g), where q is 
as described above. Let's denote this initial structure by 

Hq. 

Henceforth, we proceed as follows. Informally, we 
think of the above list of eventualities as a queue of cus- 
tomers waiting to be served. Unlike the usual queues, we 
do not necessarily start serving the queue from the first 
customer (if 9 is an eventuality, then it gets served first; 
otherwise we start from the beginning of the queue), but 
then we follow the queue order, curving back to the be- 
ginning of the queue after having served its last eventual- 
ity, if we started in the middle. Serving an eventuality £ 
amounts to appending to the leaves of the structure built 
thus far final tree components realizing £. Thus, we keep 
track of what eventualities have already been served, take 
note of the one that was served the last, say £j, and re- 
place every leaf of the structure 7ii constructed thus far 
with the final tree component 7f + x,(Cj+i) mod m)- The 
process continues until all eventualities have been served, 
at which point we have gone the full cycle through the 
queue. 

After that, the cycle is repeated, for as long as the queue 
remains non-empty. Alternatively, if we want to guarantee 
that the MAEHS we are building is going to be finite, the 



cycle is repeated with the following modification: when- 
ever the component we are about to attach, say Tuj\, is 
already contained in our structure in the making, instead 
of replacing the leaf t with that component, we connect 
every "predecessor" s of t to the root of Tnj\ with the 
relation connecting s to t. This modified version of the 
cycle is repeated until we come to a point when no more 
components get added — this is bound to happen in a fi- 
nite number of steps as the number of Ta.j's is finite. It 
is now routine to check that the resultant structure 7i is a 
Hintikka structure, whose set of agents is the set of agents 
occurring in 9. By construction, it contains a node labeled 
with a set containing 9. □ 

Theorem 5.7 (Completeness) Let 9 e C and let T 9 be 

open. Then, 9 is satisfiable in a MAEM. 

Proof. Immediate from lemma [5~6| and theorem [3l)1 □ 



6 Complexity of the procedure 

Let's denote the length of the input formula 9 by n and 
the number of agents in the language by k. We assume 
that k > 1, otherwise we just deal with the modal logic 
S5. The size of the extended closure for 9 (recall defi- 
nition |4j2]i is bounded from above by 0(k n ), as each C 
operator occurring in 9 requires k formulas to be added to 
the extended closure. 

The examination of the procedure shows that the 
longest path to any state of the pretableau we cre- 
ate at the construction phase from the initial prestate 
(i.e., the one containing the input formula 9) is 
bound by the number of nested "diamond" modal- 
ities (such as -iK a ) in 9 plus 1. From any 
given state or prestate we can create at most 0(k n ) 
(pre-)states, hence the whole number of nodes we create 
is in 0(k n ). Thus, the construction phase can be done in 
time C(fc™ 2 ). 

At the prestate elimination phase, we delete at most 
0{k n ) states and for each prestate redirect at most 
0(k n ) arrows, which takes within 0(k n ) steps. 

At the state elimination stage, we first apply (El) to 
0(k n ) states, which can be done in 0(k^ 2n+n )) steps. 
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After that, we embark on the dovetailed application of 
(E2) and (E3). We proceed in circles, whose number is 
bound by 0(k n ), as at each iteration we remove at least 
one state. During each cycle, we carry out 0(k n ) times 
(the upper bound on the number of eventualities) the fol- 
lowing procedure: fist, we apply (E2) to all states, which 
can be done in time 0(k^ n+n )), and then apply (E3) 
to the pending eventuality. The latter procedure is car- 
ried out by computing a rank of each state of the tableau 
with respect to the pending eventuality. The number of 
rank updates is bound by 0(k n ), each update requiring 
(D(k( n+n ') steps, as for each state A we check the ranks 
of the targets of outgoing arrows marked by formulae in 
A. Thus, the whole state elimination phase can be carried 
out in 0(k 2nl ) steps. 

We conclude that the whole procedure can be carried 
out in 0(k 2n ) steps, where n is the size of the in- 
put formula. It follows that MAEL(CD)-satisfiability is 
in ExpTime, which together with the result from [7] 
implies that MAEL(CD)-satisfiability is ExpTime- 
complete. 

7 Concluding remarks 

We have developed a sound, complete, and complexity- 
optimal incremental-tableau-based decision procedure for 
the multi-agent epistemic logic MAEL(CD). We claim 
that this style of tableau is of immediate practical use, 
both by human and computerized execution. It is more 
efficient (within the theoretically established complexity 
bounds) and more modular and adaptable than the top- 
down tableaux of the type developed (for a fragment of 
the logic not including the D operator) in Q. In partic- 
ular, the tableaux presented lends itself to an extension to 
the full multi-agent epistemic logic, with modal operators 
of common and distributed knowledge for all coalitions 
of agents, and well as to a combination with the similar 
style tableaux developed for the Alternating-time tempo- 
ral logic ATL developed in [5 1, which are going to be the 
subject of our subsequent work. 
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